Nipun Jaswal Interview ~ A Well-Known Security Researcher in India

Nipun Jaswal is a name that doesn’t need any introduction. Nipun is an information security specialist with a keen interest in the field of penetration testing. He is the author of the book Mastering Metasploit.

Hi, my name is Nipun Jaswal. I am an IT security guy with a keen interest in VAPT, wireless, mobile security and exploit development. Presently, I am working as a Chief Cyber Security Architect for a confidential organization in the United Kingdom. I am the author of the book “Mastering Metasploit” by PACKT Publishing Ltd. I hold the C|EH, CISE, and OSWP certifications and obtained a Master's in Technology (M.Tech) in Computer Science. Additionally, during my studies, I was the ambassador for EC-COUNCIL programs in my university.

I have a collective experience of over 6+ years in IT security, and I run my Web Application Penetration Testing Course for InSecTechs, Hyderabad through distance learning packages. I have delivered 90+ workshops on ethical hacking and penetration testing among various reputed colleges in India and have delivered corporate trainings on exploit development and penetration testing in India and regions of Africa. I spoke at various IT security conferences, some of my articles and research papers are available on the internet, and you can find some in popular security magazines like Hakin9 and EForensics (Wireless Forensics, iOS Forensics, Mobile Forensics). I have been acknowledged for finding vulnerabilities in Offensive Security, Rapid7, AT&T, Facebook, Apple, BlackBerry, Red Hat, Nokia, Microsoft, Adobe, Barracuda Labs, Kaneva, Zynga.com and CERT India.

How did you come to know these things? Who is your idol, and why?

I was in ninth grade when I watched a movie called “The Net” and felt greatly inspired by the hacking they showed in the movie. From that day, I started to search about the term “Hacking” on the internet, but everything seemed to be so complicated. It was the year 2003-2004 when one of my good friends got himself enrolled into Ankit Fadia’s course, but eventually he failed. I borrowed his books and started reading them. Then, a few courses on the torrents helped me and I started to pick up pace in the field. Initially, I did not have the money for enrolling myself into certifications. Nevertheless, one day I found a huge poster of EC-COUNCIL in my university. I gathered the details and asked my mother to get me enrolled into CEH, but eventually she refused, due to the huge price tag of the certification. However, she agreed on paying the registration fee, which was 1000/- INR and was required to appear for the ambassador exam. EC-COUNCIL required ambassadors for the campus programs and luckily, I got selected. This made my certification completely free.

A few days later, InnoBuzz started a blogging competition and luckily, I was selected again. This resulted in CISE certification, free of cost.

Acquiring knowledge, I moved on further and found a bug in Offensive Security last year, which made my OSWP certification completely free.

In my entire journey to date, Google was my best friend. If you ask me about my idol, my mother is my idol and no one else is. A couple of good friends like Deepankar Arora (Code Injector), Yogesh Kashyap, Vikram Pawar, Tajinder Singh, Harinder Singh have always been my hack mates and I am really lucky to have such great friends.

You started an open source project, “Wireless Forensic Framework (WFF)”. What is that, actually?

WFF is an open source, Python-driven network forensics framework, which eases forensic investigations, especially on wireless LANs. It makes use of Wireshark’s command line sequel TShark and eases operations in a menu-driven fashion. It consists of a few test cases, which aid in identifying the culprits in wireless scenarios. Additionally, it can be easily turned into a wireless device locator in a particular region and has the ability to fingerprint fake access points and fake MAC addresses on the network. You can download a copy of the source from GitHub.

You have written a book, “Mastering Metasploit”. What will we find in it, and where can we purchase your book?

Like a wise man once said, if you cannot find the book you are looking for, you must write it down. You will find techniques that will aid you in writing exploits, modules and various other auxiliaries in Metasploit. You will also find various scenario-based hacking techniques. Porting of various kinds of exploits and developing modules for Armitage are also covered in the book. As far as exploitation is concerned, I have covered plenty of exploits related to VoIP, software applications, SCADA, iOS etc.

I recently received a lot of appreciation for the book. In addition, I really hope the readers of your blog will like it too. The book can be purchased from any popular store like Amazon, Barnes and Noble, Safari Books, Flipkart, eBay, Google Play (eBook), Apple Store (eBook), PacktPub (Official), Shroff Publishers (Indian Edition).

You have also written some exploits. Where can we find them?

I have written plenty of exploits, security tools and scripts on my own and some of them with the help of my hack mates. However, I believe in sharing those within the boundaries of my team only.

Initially, we used to share a lot on our hacking forum (Currently Inactive) but we found a few people leeching out our content on various other forums. Therefore, we limited the use to our team only. However, I would like to mention that it is easier to run an exploit, but it is difficult to create one. Therefore, I would like to say that for those who want free exploits, the door has closed.

It takes a good amount of time to write and exploit a vulnerability, and if someone leeches it, it hurts.

Nipun, you have been a speaker at many infosec conferences. How was the experience?

To be honest, it was a great experience. Sharing the stage with quality leaders in the industry is always awesome. Moreover, it globalizes your reach and knowledge is shared which is always a good thing to happen.

Nipun, I have seen your presentation “Beyond Ethical Hacking” on SlideShare. Does a hacker really get more money than an ethical hacker does?

I guess you got it wrong. Actually, the comparison was between an ethical hacker and a software developer.

Let me share my experience with you. I spent 7 years in my university completing everything from a diploma to an M.Tech in computer science, but what I saw was that the great minds from my college were getting recruited at poor packages or were not getting recruited at all.

I started earning when I was in my B.Tech 2nd year, and by the time I completed my M.Tech, I earned around 20 times the money I spent on my studies. It was all because of hacking.

Coming to the presentation, it was all about demonstrating the rise of the security field in India, and additionally it discussed the bug bounty programs. The concept of the presentation was to throw light on the bright future that one can achieve in the field.

You are in the hall of fame of many companies. How do you feel? And how easy was it for you to find a vulnerability in a website like Facebook, PayPal, and Adobe?

Initially, it was not that tough. However, the rise of our hacker community has almost patched some serious bugs.

If you ask me what it takes to be a bug bounty hunter, it requires great dedication, patience and a belief in myself that yes, I will not stop until I find a bug.

Finding a bug can take 2 minutes or 2 months; it depends. I advise the readers to show great patience toward bug hunting because it takes some serious amount of time.

Well, finding a bug in Facebook, PayPal and Adobe was easy and did not take more than 5 days collectively. However, the most difficult one was the one for Offensive Security, because it started to ban the IP address for 15-20 minutes after every 2-3 malicious requests.

In addition, you have published your articles in many magazines, and some whitepapers also. Please give some links where we can read your papers.

Well! You can find some of the following links for my articles and whitepapers below-

Please describe the future of hacking or ethical hacking. How can people make their future in this field?

The future of ethical hacking is very bright indeed. There are plenty of high paying jobs in reputed companies. I advise the readers to start with basic courses like C|EH or any other equivalent course that can provide them with theoretical as well as practical knowledge. Now, you might say that theory is boring! However, what I feel is that it is useless to use a tool if you do not know what exactly is going on behind the scenes. Therefore, I suggest that readers go for courses that cover both.

Is there something that websites do to try to defend themselves from guys like you and some malicious guys?

Well, companies should hire programmers who can not only develop but can also protect, and who have good experience in secure coding best practices. They should also consider a penetration test conducted by a reputed company in both the test and production environments. Additionally, they must encourage bug bounty programs so that the community stays happy and they should stay happy as well.